Protection against wireless cracking

[Zelth]

Many topics here discuss how to crack a wireless network. But I would like to know how to protect myself against such attacks. Any help?

[hakk3d]

Have a good pass and hopefully the noobs wont be able to crack it, idk lol...
Change it daily?
Don't make it guessable, example: kahugafugena (yes I did just make that up)

Don't use a wireless router? That's all I can suggest, I'm not very good with networking..... just PHP

[myhexhax]

freeRADIUS with LDAP or some other authentication, or look into Cisco's wireless security hardware.. They had a demo of it at my tech expo, and it's pretty intense.

Don't listen to people that say hide your SSID or MAC filtering, both are easily overcome (SSID's are rebroadcast on 'improperly' configured cards, MAC spoofing, etc..) Also disabling DHCP makes it inconvenient for users on your network and is also not a measure of security..

[noOneSpecial]

WPA would be a good solution. try to avoid to use TKIP (use AES if possible). Also like hakk3d mentioned : a good long password will help as well. try to mix some additional special characters, ex : myPanDa12Goes*!45&tiMeSH(OME)@T
I think that would be hard to brute-force still someone can perform a deauthentification attack regardless of your encryption system/algorithm. And yes, having a totally "strange" ip host range 172.20.61.0/24 would be confusing for the attacker. But, can be over come with for example netdiscover

[dolphoneman]

Even though this is old, Special made it not so old!

Dispite what hax said, individually, those approaches prove to be easily over come, layered they are good security measures.

Adding to Special's information, use passwords that are at least eight characters long and include special characters and numbers. This idea is not only for router password, but any password one might need to use. An easy way to create a password is take a familiar phrase, use the first letter in each word of that phrase and then add special characters and numbers too it.

Dolph

[AtlasDark]

I've heard of some interesting software that returns connection calls with the designated IP as 127.0.0.1. Imagine the confusion if someone were to assume they were breaking into their lhost. Likely bypassed easily, though.

Bruteforcing won't be a viable option if one has a lengthy password with mixed digits, but there exists a plethora of methods out there - network penetration testing on one's own machine might give one an edge in understanding how such methods work. Try not to blow up your router.

[myhexhax]

Dispite what hax said, individually, those approaches prove to be easily over come, layered they are good security measures.

I strongly disagree. A paper door is easily broken into. 5 paper doors will help you no more.
If you'd like me to explain how I'd break into your hidden-ssid, MAC filtered, DHCP lacking wireless network, I can. None of the above are security, they never were, and they never will be.

I've heard of some interesting software that returns connection calls with the designated IP as 127.0.0.1. Imagine the confusion if someone were to assume they were breaking into their lhost. Likely bypassed easily, though.

You can do this with ARP poisoning. Just kindly inform them that every IP they want to access points to their MAC address. (this would be immediately apparent though, as they would not be able to connect to anything..) ARP poisoning is actually fairly hard to detect, as there is no authentication, and unless you already know the MAC addresses of whatever you are connecting to, and constantly monitor your ARP table, there is no way of knowing whether or not your connections are being funneled through another computer.

Bruteforcing won't be a viable option if one has a lengthy password with mixed digits, but there exists a plethora of methods out there

Using stronger passwords will help a bit, but most attacks on wireless encryption are via a side channel, like replaying/injecting packets to gain more information about the key, etc. The integrity of the password is not maintained (in that it is reduced to the X-bit key, via hashing the password with PBKDF2, and using the SSID as the salt), and the attack itself is rarely on the password itself. You can, of course, eliminate any worries about brute force attacks by not using PSK, by using an alternative authentication method (P/EAP). You then delegate access and have full control of how many times they can attempt to enter your network using a certain username and password..

(and wow, this was an old thread, I forgot that I even initially replied to this)

[noOneSpecial]

I strongly disagree. A paper door is easily broken into. 5 paper doors will help you no more.
If you'd like me to explain how I'd break into your hidden-ssid, MAC filtered, DHCP lacking wireless network, I can. None of the above are security, they never were, and they never will be.

Hidding SSD, mac filtering, DHCP lacking was never any "protection". Those where rather tricks to make life harder for ppl that try to break in using some online tutorials - this is how i see it.

You can do this with ARP poisoning. Just kindly inform them that every IP they want to access points to their MAC address. (this would be immediately apparent though, as they would not be able to connect to anything..) ARP poisoning is actually fairly hard to detect, as there is no authentication, and unless you already know the MAC addresses of whatever you are connecting to, and constantly monitor your ARP table, there is no way of knowing whether or not your connections are being funneled through another computer.

ARP poisoning is hard to detect ?? arpwatch is good to detect any strange arp activity on the network (I think you know the tool anyway).It could be hard to detect on your home network if you don't have any server type of a computer running 24/7 (I think only geeks would have that...) that monitors what is going on

[linkero]

mac filtering. just set it up to deny all except those you have on the list. also, on your router, make sure that the username is something thats not so.....guessable. and of course, the above comments about passwords.

[myhexhax]

Hidding SSD, mac filtering, DHCP lacking was never any "protection". Those where rather tricks to make life harder for ppl that try to break in using some online tutorials - this is how i see it.

True, although I'd argue that the topic is 'Protection against wireless cracking', not 'Protection against someone driving by and connecting to my network', which implies a slightly more malicious user. If they are going to try to 'crack' your encryption keys, then you'll need more than the above, but you know that. While they may deter a casual passerby, they will do nothing to stop anyone else that wants to get onto your network and is willing to spend the time to do so.

ARP poisoning is hard to detect ?? arpwatch is good to detect any strange arp activity on the network (I think you know the tool anyway).It could be hard to detect on your home network if you don't have any server type of a computer running 24/7 (I think only geeks would have that...) that monitors what is going on

True, it's easy to detect (relatively), as long as you have a monitoring program/IDS running, or utilize DHCP snooping. Remember that valid ARP entries will change too, like when a client disconnects and connects, and in turn is assigned a new IP address. You can also just have a static ARP cache/IP-MAC mapping and not allow changes to it, but this only works in non-DHCP environments. Unfortunately I have rarely seen any sort of ARP poisoning detection/prevention deployed in any environment I have worked in, including enterprise and corporate.

mac filtering. just set it up to deny all except those you have on the list.

No no no, it takes me 10 seconds to spoof my MAC address.

also, on your router, make sure that the username is something thats not so.....guessable

This only pertains to someone that has already connected to your network. If they have, you have bigger problems to worry about.